phorphiex | 260f4bd4d9f08e29026f540d60aa1d54f1d1b8965141dae3defa112b688651df

Analysis

max time kernel
120s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17-11-2024 04:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

260f4bd4d9f08e29026f540d60aa1d54f1d1b8965141dae3defa112b688651dfN.exe
Size

2.8MB
MD5

cc98eb6a147cf80ce8eded7842d4eb90
SHA1

7ef3a84fea0deee9705da930483a36a8a0c9ed31
SHA256

260f4bd4d9f08e29026f540d60aa1d54f1d1b8965141dae3defa112b688651df
SHA512

5881d2112725bdd6ec996c2812e093a604252bb1a31428f58bf8aa5946f6cade72a5111b08ac10a29f8a7e18b1fe7977130fd2aa215d2efe7a7068dffb931290
SSDEEP

49152:0ljHdG8GcuzCO4XKaYRwXUtyqcM8pdIcA69j7GUsRTd8sxjOPJnUl68QFy13Tgbw:UjxDuzCOQg+9j7YdOPJ8xQxw

Score

10^/10

phorphiex xmrig discovery execution loader miner persistence trojan worm

Malware Config

Extracted

Family

phorphiex

http://185.215.113.66/

http://91.202.233.141/

Wallets

0xCa90599132C4D88907Bd8E046540284aa468a035

TRuGGXNDM1cavQ1AqMQHG8yfxP4QWVSMN6

qph44jx8r9k5xeq5cuf958krv3ewrnp5vc6hhdjd3r

XryzFMFVpDUvU7famUGf214EXD3xNUSmQf

rsXCXBf9SagxV8JfC12d8Bybk84oPdMNN9

AULzfBuUAPfCGAXoG5Vq14aP9s6fx3AH4Z

LdgchXq1sKbAaAJ1EXAPSRBzLb8jnTZstT

MP8GEm8QpYgQYaMo8oM5NQhRBgDGiLZW5Q

4AtjkCVKbtEC3UEN77SQHuH9i1XkzNiRi5VCbA2XGsJh46nJSXfGQn4GjLuupCqmC57Lo7LvKmFUyRfhtJSvKvuw3h9ReKK

15TssKwtjMtwy4vDLcLsQUZUD2B9f7eDjw85sBNVC5LRPPnC

1BzmrjmKPKSR2hH5BeJySfiVA676E8DYaK

ltc1qt0n3f0t7vz9k0mvcswk477shrxwjhf9sj5ykrp

3PMiLynrGVZ8oEqvoqC4hXD67B1WoALR4pc

3ESHude8zUHksQg1h6hHmzY79BS36L91Yn

DLUzwvyxN1RrwjByUPPzVMdfxNRPGVRMMA

t1J6GCPCiHW1eRdjJgDDu6b1vSVmL5U7Twh

stars125f3mw4xd9htpsq4zj5w5ezm5gags37yxxh6mj

bnb1msyt0djx4ecspfxg5en0ye465kg3kmv9utzml2

bc1ppypcmu3684n648gyj62gjp2rw0xy7w3vwfamatlg29ajp4z52desafa0sr

bc1qc9edl4hzl9jyt8twdad3zjeh2df2znq96tdezd

Attributes

mutex
753f85d83d
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36

Extracted

Family

phorphiex

http://185.215.113.66

http://185.215.113.84

Attributes

mutex
Klipux

Signatures

Phorphiex family
phorphiex

Phorphiex payload 1 IoCs

resource	yara_rule
behavioral2/files/0x000a000000023b62-20.dat	family_phorphiex

Phorphiex, Phorpiex
Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
worm trojan loader phorphiex

Suspicious use of NtCreateUserProcessOtherParentProcess 5 IoCs

description	pid	Process	procid_target
PID 2020 created 3424	2020	1410531124.exe	56
PID 2020 created 3424	2020	1410531124.exe	56
PID 932 created 3424	932	winupsecvmgr.exe	56
PID 932 created 3424	932	winupsecvmgr.exe	56
PID 932 created 3424	932	winupsecvmgr.exe	56

Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 6 IoCs

miner

resource	yara_rule
behavioral2/memory/932-473-0x00007FF7CC1C0000-0x00007FF7CC757000-memory.dmp	xmrig
behavioral2/memory/3316-484-0x00007FF64B7B0000-0x00007FF64BF9F000-memory.dmp	xmrig
behavioral2/memory/3316-486-0x00007FF64B7B0000-0x00007FF64BF9F000-memory.dmp	xmrig
behavioral2/memory/3316-489-0x00007FF64B7B0000-0x00007FF64BF9F000-memory.dmp	xmrig
behavioral2/memory/3316-491-0x00007FF64B7B0000-0x00007FF64BF9F000-memory.dmp	xmrig
behavioral2/memory/3316-493-0x00007FF64B7B0000-0x00007FF64BF9F000-memory.dmp	xmrig

Downloads MZ/PE file

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	260f4bd4d9f08e29026f540d60aa1d54f1d1b8965141dae3defa112b688651dfN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	260f4bd4d9f08e29026f540d60aa1d54f1d1b8965141dae3defa112b688651dfN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	1567831992.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	260f4bd4d9f08e29026f540d60aa1d54f1d1b8965141dae3defa112b688651dfN.exe

Deletes itself 1 IoCs

pid	Process
3696	NativeUpdater.exe

Executes dropped EXE 15 IoCs

pid	Process
4156	8443.exe
3696	NativeUpdater.exe
4292	260f4bd4d9f08e29026f540d60aa1d54f1d1b8965141dae3defa112b688651dfN.exe
3628	1156717982.exe
2476	sysnldcvmr.exe
3476	1567831992.exe
2560	2985919836.exe
5112	331248294.exe
208	3342028962.exe
2020	1410531124.exe
932	winupsecvmgr.exe
3704	260f4bd4d9f08e29026f540d60aa1d54f1d1b8965141dae3defa112b688651dfN.exe
1400	260f4bd4d9f08e29026f540d60aa1d54f1d1b8965141dae3defa112b688651dfN.exe
2552	260f4bd4d9f08e29026f540d60aa1d54f1d1b8965141dae3defa112b688651dfN.exe
1260	260f4bd4d9f08e29026f540d60aa1d54f1d1b8965141dae3defa112b688651dfN.exe

Loads dropped DLL 17 IoCs

pid	Process
4292	260f4bd4d9f08e29026f540d60aa1d54f1d1b8965141dae3defa112b688651dfN.exe
4292	260f4bd4d9f08e29026f540d60aa1d54f1d1b8965141dae3defa112b688651dfN.exe
4292	260f4bd4d9f08e29026f540d60aa1d54f1d1b8965141dae3defa112b688651dfN.exe
3704	260f4bd4d9f08e29026f540d60aa1d54f1d1b8965141dae3defa112b688651dfN.exe
3704	260f4bd4d9f08e29026f540d60aa1d54f1d1b8965141dae3defa112b688651dfN.exe
3704	260f4bd4d9f08e29026f540d60aa1d54f1d1b8965141dae3defa112b688651dfN.exe
3704	260f4bd4d9f08e29026f540d60aa1d54f1d1b8965141dae3defa112b688651dfN.exe
3704	260f4bd4d9f08e29026f540d60aa1d54f1d1b8965141dae3defa112b688651dfN.exe
1400	260f4bd4d9f08e29026f540d60aa1d54f1d1b8965141dae3defa112b688651dfN.exe
1400	260f4bd4d9f08e29026f540d60aa1d54f1d1b8965141dae3defa112b688651dfN.exe
1400	260f4bd4d9f08e29026f540d60aa1d54f1d1b8965141dae3defa112b688651dfN.exe
1260	260f4bd4d9f08e29026f540d60aa1d54f1d1b8965141dae3defa112b688651dfN.exe
1260	260f4bd4d9f08e29026f540d60aa1d54f1d1b8965141dae3defa112b688651dfN.exe
1260	260f4bd4d9f08e29026f540d60aa1d54f1d1b8965141dae3defa112b688651dfN.exe
2552	260f4bd4d9f08e29026f540d60aa1d54f1d1b8965141dae3defa112b688651dfN.exe
2552	260f4bd4d9f08e29026f540d60aa1d54f1d1b8965141dae3defa112b688651dfN.exe
2552	260f4bd4d9f08e29026f540d60aa1d54f1d1b8965141dae3defa112b688651dfN.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysnldcvmr.exe"	1156717982.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3392	powershell.exe
4496	powershell.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 932 set thread context of 4752	932	winupsecvmgr.exe	124
PID 932 set thread context of 3316	932	winupsecvmgr.exe	125

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\sysnldcvmr.exe	1156717982.exe
File opened for modification	C:\Windows\sysnldcvmr.exe	1156717982.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysnldcvmr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	260f4bd4d9f08e29026f540d60aa1d54f1d1b8965141dae3defa112b688651dfN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	260f4bd4d9f08e29026f540d60aa1d54f1d1b8965141dae3defa112b688651dfN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NativeUpdater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1156717982.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3342028962.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	260f4bd4d9f08e29026f540d60aa1d54f1d1b8965141dae3defa112b688651dfN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2985919836.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	331248294.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8443.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	260f4bd4d9f08e29026f540d60aa1d54f1d1b8965141dae3defa112b688651dfN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	260f4bd4d9f08e29026f540d60aa1d54f1d1b8965141dae3defa112b688651dfN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	260f4bd4d9f08e29026f540d60aa1d54f1d1b8965141dae3defa112b688651dfN.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3227495264-2217614367-4027411560-1000\{2821D4BF-4BB0-4804-8BAE-E7DABCE9E75A}	260f4bd4d9f08e29026f540d60aa1d54f1d1b8965141dae3defa112b688651dfN.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
3476	1567831992.exe
2020	1410531124.exe
2020	1410531124.exe
3392	powershell.exe
3392	powershell.exe
2020	1410531124.exe
2020	1410531124.exe
3704	260f4bd4d9f08e29026f540d60aa1d54f1d1b8965141dae3defa112b688651dfN.exe
3704	260f4bd4d9f08e29026f540d60aa1d54f1d1b8965141dae3defa112b688651dfN.exe
1400	260f4bd4d9f08e29026f540d60aa1d54f1d1b8965141dae3defa112b688651dfN.exe
1400	260f4bd4d9f08e29026f540d60aa1d54f1d1b8965141dae3defa112b688651dfN.exe
1260	260f4bd4d9f08e29026f540d60aa1d54f1d1b8965141dae3defa112b688651dfN.exe
1260	260f4bd4d9f08e29026f540d60aa1d54f1d1b8965141dae3defa112b688651dfN.exe
2552	260f4bd4d9f08e29026f540d60aa1d54f1d1b8965141dae3defa112b688651dfN.exe
2552	260f4bd4d9f08e29026f540d60aa1d54f1d1b8965141dae3defa112b688651dfN.exe
932	winupsecvmgr.exe
932	winupsecvmgr.exe
4496	powershell.exe
4496	powershell.exe
4496	powershell.exe
932	winupsecvmgr.exe
932	winupsecvmgr.exe
932	winupsecvmgr.exe
932	winupsecvmgr.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3696	NativeUpdater.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3476	1567831992.exe
Token: SeDebugPrivilege	3392	powershell.exe
Token: SeIncreaseQuotaPrivilege	3392	powershell.exe
Token: SeSecurityPrivilege	3392	powershell.exe
Token: SeTakeOwnershipPrivilege	3392	powershell.exe
Token: SeLoadDriverPrivilege	3392	powershell.exe
Token: SeSystemProfilePrivilege	3392	powershell.exe
Token: SeSystemtimePrivilege	3392	powershell.exe
Token: SeProfSingleProcessPrivilege	3392	powershell.exe
Token: SeIncBasePriorityPrivilege	3392	powershell.exe
Token: SeCreatePagefilePrivilege	3392	powershell.exe
Token: SeBackupPrivilege	3392	powershell.exe
Token: SeRestorePrivilege	3392	powershell.exe
Token: SeShutdownPrivilege	3392	powershell.exe
Token: SeDebugPrivilege	3392	powershell.exe
Token: SeSystemEnvironmentPrivilege	3392	powershell.exe
Token: SeRemoteShutdownPrivilege	3392	powershell.exe
Token: SeUndockPrivilege	3392	powershell.exe
Token: SeManageVolumePrivilege	3392	powershell.exe
Token: 33	3392	powershell.exe
Token: 34	3392	powershell.exe
Token: 35	3392	powershell.exe
Token: 36	3392	powershell.exe
Token: SeIncreaseQuotaPrivilege	3392	powershell.exe
Token: SeSecurityPrivilege	3392	powershell.exe
Token: SeTakeOwnershipPrivilege	3392	powershell.exe
Token: SeLoadDriverPrivilege	3392	powershell.exe
Token: SeSystemProfilePrivilege	3392	powershell.exe
Token: SeSystemtimePrivilege	3392	powershell.exe
Token: SeProfSingleProcessPrivilege	3392	powershell.exe
Token: SeIncBasePriorityPrivilege	3392	powershell.exe
Token: SeCreatePagefilePrivilege	3392	powershell.exe
Token: SeBackupPrivilege	3392	powershell.exe
Token: SeRestorePrivilege	3392	powershell.exe
Token: SeShutdownPrivilege	3392	powershell.exe
Token: SeDebugPrivilege	3392	powershell.exe
Token: SeSystemEnvironmentPrivilege	3392	powershell.exe
Token: SeRemoteShutdownPrivilege	3392	powershell.exe
Token: SeUndockPrivilege	3392	powershell.exe
Token: SeManageVolumePrivilege	3392	powershell.exe
Token: 33	3392	powershell.exe
Token: 34	3392	powershell.exe
Token: 35	3392	powershell.exe
Token: 36	3392	powershell.exe
Token: SeIncreaseQuotaPrivilege	3392	powershell.exe
Token: SeSecurityPrivilege	3392	powershell.exe
Token: SeTakeOwnershipPrivilege	3392	powershell.exe
Token: SeLoadDriverPrivilege	3392	powershell.exe
Token: SeSystemProfilePrivilege	3392	powershell.exe
Token: SeSystemtimePrivilege	3392	powershell.exe
Token: SeProfSingleProcessPrivilege	3392	powershell.exe
Token: SeIncBasePriorityPrivilege	3392	powershell.exe
Token: SeCreatePagefilePrivilege	3392	powershell.exe
Token: SeBackupPrivilege	3392	powershell.exe
Token: SeRestorePrivilege	3392	powershell.exe
Token: SeShutdownPrivilege	3392	powershell.exe
Token: SeDebugPrivilege	3392	powershell.exe
Token: SeSystemEnvironmentPrivilege	3392	powershell.exe
Token: SeRemoteShutdownPrivilege	3392	powershell.exe
Token: SeUndockPrivilege	3392	powershell.exe
Token: SeManageVolumePrivilege	3392	powershell.exe
Token: 33	3392	powershell.exe
Token: 34	3392	powershell.exe
Token: 35	3392	powershell.exe

Suspicious use of WriteProcessMemory 50 IoCs

description	pid	Process	procid_target
PID 3548 wrote to memory of 4156	3548	260f4bd4d9f08e29026f540d60aa1d54f1d1b8965141dae3defa112b688651dfN.exe	85
PID 3548 wrote to memory of 4156	3548	260f4bd4d9f08e29026f540d60aa1d54f1d1b8965141dae3defa112b688651dfN.exe	85
PID 3548 wrote to memory of 4156	3548	260f4bd4d9f08e29026f540d60aa1d54f1d1b8965141dae3defa112b688651dfN.exe	85
PID 3548 wrote to memory of 3696	3548	260f4bd4d9f08e29026f540d60aa1d54f1d1b8965141dae3defa112b688651dfN.exe	87
PID 3548 wrote to memory of 3696	3548	260f4bd4d9f08e29026f540d60aa1d54f1d1b8965141dae3defa112b688651dfN.exe	87
PID 3548 wrote to memory of 3696	3548	260f4bd4d9f08e29026f540d60aa1d54f1d1b8965141dae3defa112b688651dfN.exe	87
PID 3696 wrote to memory of 4292	3696	NativeUpdater.exe	89
PID 3696 wrote to memory of 4292	3696	NativeUpdater.exe	89
PID 3696 wrote to memory of 4292	3696	NativeUpdater.exe	89
PID 4156 wrote to memory of 3628	4156	8443.exe	94
PID 4156 wrote to memory of 3628	4156	8443.exe	94
PID 4156 wrote to memory of 3628	4156	8443.exe	94
PID 3628 wrote to memory of 2476	3628	1156717982.exe	96
PID 3628 wrote to memory of 2476	3628	1156717982.exe	96
PID 3628 wrote to memory of 2476	3628	1156717982.exe	96
PID 2476 wrote to memory of 3476	2476	sysnldcvmr.exe	99
PID 2476 wrote to memory of 3476	2476	sysnldcvmr.exe	99
PID 3476 wrote to memory of 768	3476	1567831992.exe	100
PID 3476 wrote to memory of 768	3476	1567831992.exe	100
PID 3476 wrote to memory of 2240	3476	1567831992.exe	102
PID 3476 wrote to memory of 2240	3476	1567831992.exe	102
PID 768 wrote to memory of 744	768	cmd.exe	104
PID 768 wrote to memory of 744	768	cmd.exe	104
PID 2240 wrote to memory of 384	2240	cmd.exe	106
PID 2240 wrote to memory of 384	2240	cmd.exe	106
PID 2476 wrote to memory of 2560	2476	sysnldcvmr.exe	108
PID 2476 wrote to memory of 2560	2476	sysnldcvmr.exe	108
PID 2476 wrote to memory of 2560	2476	sysnldcvmr.exe	108
PID 2476 wrote to memory of 5112	2476	sysnldcvmr.exe	109
PID 2476 wrote to memory of 5112	2476	sysnldcvmr.exe	109
PID 2476 wrote to memory of 5112	2476	sysnldcvmr.exe	109
PID 2476 wrote to memory of 208	2476	sysnldcvmr.exe	110
PID 2476 wrote to memory of 208	2476	sysnldcvmr.exe	110
PID 2476 wrote to memory of 208	2476	sysnldcvmr.exe	110
PID 5112 wrote to memory of 2020	5112	331248294.exe	111
PID 5112 wrote to memory of 2020	5112	331248294.exe	111
PID 4292 wrote to memory of 3704	4292	260f4bd4d9f08e29026f540d60aa1d54f1d1b8965141dae3defa112b688651dfN.exe	117
PID 4292 wrote to memory of 3704	4292	260f4bd4d9f08e29026f540d60aa1d54f1d1b8965141dae3defa112b688651dfN.exe	117
PID 4292 wrote to memory of 3704	4292	260f4bd4d9f08e29026f540d60aa1d54f1d1b8965141dae3defa112b688651dfN.exe	117
PID 4292 wrote to memory of 1400	4292	260f4bd4d9f08e29026f540d60aa1d54f1d1b8965141dae3defa112b688651dfN.exe	119
PID 4292 wrote to memory of 1400	4292	260f4bd4d9f08e29026f540d60aa1d54f1d1b8965141dae3defa112b688651dfN.exe	119
PID 4292 wrote to memory of 1400	4292	260f4bd4d9f08e29026f540d60aa1d54f1d1b8965141dae3defa112b688651dfN.exe	119
PID 4292 wrote to memory of 2552	4292	260f4bd4d9f08e29026f540d60aa1d54f1d1b8965141dae3defa112b688651dfN.exe	120
PID 4292 wrote to memory of 2552	4292	260f4bd4d9f08e29026f540d60aa1d54f1d1b8965141dae3defa112b688651dfN.exe	120
PID 4292 wrote to memory of 2552	4292	260f4bd4d9f08e29026f540d60aa1d54f1d1b8965141dae3defa112b688651dfN.exe	120
PID 4292 wrote to memory of 1260	4292	260f4bd4d9f08e29026f540d60aa1d54f1d1b8965141dae3defa112b688651dfN.exe	121
PID 4292 wrote to memory of 1260	4292	260f4bd4d9f08e29026f540d60aa1d54f1d1b8965141dae3defa112b688651dfN.exe	121
PID 4292 wrote to memory of 1260	4292	260f4bd4d9f08e29026f540d60aa1d54f1d1b8965141dae3defa112b688651dfN.exe	121
PID 932 wrote to memory of 4752	932	winupsecvmgr.exe	124
PID 932 wrote to memory of 3316	932	winupsecvmgr.exe	125

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3424
- C:\Users\Admin\AppData\Local\Temp\260f4bd4d9f08e29026f540d60aa1d54f1d1b8965141dae3defa112b688651dfN.exe
  "C:\Users\Admin\AppData\Local\Temp\260f4bd4d9f08e29026f540d60aa1d54f1d1b8965141dae3defa112b688651dfN.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3548
- - C:\Users\Admin\AppData\Local\Temp\8443.exe
    "C:\Users\Admin\AppData\Local\Temp\8443.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4156
  - - C:\Users\Admin\AppData\Local\Temp\1156717982.exe
      C:\Users\Admin\AppData\Local\Temp\1156717982.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3628
    - - C:\Windows\sysnldcvmr.exe
        
        C:\Windows\sysnldcvmr.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2476
      - C:\Users\Admin\AppData\Local\Temp\1567831992.exe
        
        C:\Users\Admin\AppData\Local\Temp\1567831992.exe
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3476
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:768
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
        8⤵
        
        PID:744
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "Windows Upgrade Manager"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2240
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /delete /f /tn "Windows Upgrade Manager"
        8⤵
        
        PID:384
      - C:\Users\Admin\AppData\Local\Temp\2985919836.exe
        
        C:\Users\Admin\AppData\Local\Temp\2985919836.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2560
      - C:\Users\Admin\AppData\Local\Temp\331248294.exe
        
        C:\Users\Admin\AppData\Local\Temp\331248294.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5112
        
        C:\Users\Admin\AppData\Local\Temp\1410531124.exe
        
        C:\Users\Admin\AppData\Local\Temp\1410531124.exe
        7⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2020
      - C:\Users\Admin\AppData\Local\Temp\3342028962.exe
        
        C:\Users\Admin\AppData\Local\Temp\3342028962.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:208
- - C:\Users\Admin\AppData\Local\Temp\tools\NativeUpdater.exe
    tools\NativeUpdater.exe 260f4bd4d9f08e29026f540d60aa1d54f1d1b8965141dae3defa112b688651dfN.exe 260f4bd4d9f08e29026f540d60aa1d54f1d1b8965141dae3defa112b688651dfN.exe.tmp --nativeLauncherVersion 788 --nativeLauncherVersion 788
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: RenamesItself
    - Suspicious use of WriteProcessMemory
    PID:3696
  - - C:\Users\Admin\AppData\Local\Temp\260f4bd4d9f08e29026f540d60aa1d54f1d1b8965141dae3defa112b688651dfN.exe
      260f4bd4d9f08e29026f540d60aa1d54f1d1b8965141dae3defa112b688651dfN.exe --nativeLauncherVersion 788 --nativeLauncherVersion 788
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4292
    - - C:\Users\Admin\AppData\Local\Temp\260f4bd4d9f08e29026f540d60aa1d54f1d1b8965141dae3defa112b688651dfN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\260f4bd4d9f08e29026f540d60aa1d54f1d1b8965141dae3defa112b688651dfN.exe" --type=gpu-process --field-trial-handle=2104,9334290126743004157,10435758065319351464,131072 --enable-features=CastMediaRouteProvider --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\.minecraft\launcher_cef_log.txt" --log-severity=info --lang=en-US --launcherui --workdir="C:\Users\Admin\AppData\Roaming\.minecraft" --gpu-preferences=MAAAAAAAAADgACAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --log-file="C:\Users\Admin\AppData\Roaming\.minecraft\launcher_cef_log.txt" --mojo-platform-channel-handle=2112 /prefetch:2
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:3704
    - - C:\Users\Admin\AppData\Local\Temp\260f4bd4d9f08e29026f540d60aa1d54f1d1b8965141dae3defa112b688651dfN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\260f4bd4d9f08e29026f540d60aa1d54f1d1b8965141dae3defa112b688651dfN.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,9334290126743004157,10435758065319351464,131072 --enable-features=CastMediaRouteProvider --lang=en-US --service-sandbox-type=network --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\.minecraft\launcher_cef_log.txt" --log-severity=info --lang=en-US --launcherui --workdir="C:\Users\Admin\AppData\Roaming\.minecraft" --log-file="C:\Users\Admin\AppData\Roaming\.minecraft\launcher_cef_log.txt" --mojo-platform-channel-handle=2572 /prefetch:8
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1400
    - - C:\Users\Admin\AppData\Local\Temp\260f4bd4d9f08e29026f540d60aa1d54f1d1b8965141dae3defa112b688651dfN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\260f4bd4d9f08e29026f540d60aa1d54f1d1b8965141dae3defa112b688651dfN.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\.minecraft\launcher_cef_log.txt" --field-trial-handle=2104,9334290126743004157,10435758065319351464,131072 --enable-features=CastMediaRouteProvider --lang=en-US --log-file="C:\Users\Admin\AppData\Roaming\.minecraft\launcher_cef_log.txt" --log-severity=info --launcherui --workdir="C:\Users\Admin\AppData\Roaming\.minecraft" --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2724 /prefetch:1
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2552
    - - C:\Users\Admin\AppData\Local\Temp\260f4bd4d9f08e29026f540d60aa1d54f1d1b8965141dae3defa112b688651dfN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\260f4bd4d9f08e29026f540d60aa1d54f1d1b8965141dae3defa112b688651dfN.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\.minecraft\launcher_cef_log.txt" --field-trial-handle=2104,9334290126743004157,10435758065319351464,131072 --enable-features=CastMediaRouteProvider --lang=en-US --log-file="C:\Users\Admin\AppData\Roaming\.minecraft\launcher_cef_log.txt" --log-severity=info --launcherui --workdir="C:\Users\Admin\AppData\Roaming\.minecraft" --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=3 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2732 /prefetch:1
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1260
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3392
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "Microsoft Windows Security"
  2⤵
  PID:2200
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:4496
- C:\Windows\System32\conhost.exe
  C:\Windows\System32\conhost.exe
  2⤵
  PID:4752
- C:\Windows\System32\dwm.exe
  C:\Windows\System32\dwm.exe
  2⤵
  PID:3316

C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe
"C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe"
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:932

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{45BA127D-10A8-46EA-8AB7-56EA9078943C}
1⤵
- System Location Discovery: System Language Discovery
PID:3032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
fee026663fcb662152188784794028ee

SHA1
3c02a26a9cb16648fad85c6477b68ced3cb0cb45

SHA256
dbd4136bc342e3e92902ec3a30d165452c82997a7ae24ac90775e42d88959e6b

SHA512
7b12bd5c8fc4356b9123d6586b4980cf76012663b41c0dab6f6f21567e2f4005c5bcea2cc2158d157e4f801a281f3e04bad3774cddb3122db309ccf662184bd6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\H6N4U6J0\1[1]

Filesize
108KB

MD5
1fcb78fb6cf9720e9d9494c42142d885

SHA1
fef9c2e728ab9d56ce9ed28934b3182b6f1d5379

SHA256
84652bb8c63ca4fd7eb7a2d6ef44029801f3057aa2961867245a3a765928dd02

SHA512
cdf58e463af1784aea86995b3e5d6b07701c5c4095e30ec80cc901ffd448c6f4f714c521bf8796ffa8c47538bf8bf5351e157596efaa7ab88155d63dc33f7dc3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0c77ce1db08e7f1b2bc9896a13b4f7a5

SHA1
3de7b852f908b16834f9484bce8eebd4d7389ec1

SHA256
dcb3cb7065cee59e6f4e62405ef4c5418a04a35a1ac04db0b846851bc7ec967f

SHA512
5244fa2ce993c07dfbbeac86360c2e49e86c0957a016624251e917223b0d1c0afd5fefdf17b397b298c194b5699c8696dd7e59f379d6eae98665be361f077b29

Download Submit
C:\Users\Admin\AppData\Local\Temp\1156717982.exe

Filesize
79KB

MD5
0c883b1d66afce606d9830f48d69d74b

SHA1
fe431fe73a4749722496f19b3b3ca0b629b50131

SHA256
d921fc993574c8be76553bcf4296d2851e48ee39b958205e69bdfd7cf661d2b1

SHA512
c047452a23efad4262479fbfeb5e23f9497d7cefd4cbb58e869801206669c2a0759698c70d18050316798d5d939b989537fdce3842aa742449f5e08ed7fa60a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\1410531124.exe

Filesize
5.6MB

MD5
13b26b2c7048a92d6a843c1302618fad

SHA1
89c2dfc01ac12ef2704c7669844ec69f1700c1ca

SHA256
1753ad35ece25ab9a19048c70062e9170f495e313d7355ebbba59c38f5d90256

SHA512
d6aff89b61c9945002a6798617ad304612460a607ef1cfbdcb32f8932ca648bcee1d5f2e0321bb4c58c1f4642b1e0ececc1eb82450fdec7dff69b5389f195455

Download Submit
C:\Users\Admin\AppData\Local\Temp\1567831992.exe

Filesize
8KB

MD5
cb8420e681f68db1bad5ed24e7b22114

SHA1
416fc65d538d3622f5ca71c667a11df88a927c31

SHA256
5850892f67f85991b31fc90f62c8b7791afeb3c08ae1877d857aa2b59471a2ea

SHA512
baaabcc4ad5d409267a34ed7b20e4afb4d247974bfc581d39aae945e5bf8a673a1f8eacae2e6783480c8baaeb0a80d028274a202d456f13d0af956afa0110fdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\260f4bd4d9f08e29026f540d60aa1d54f1d1b8965141dae3defa112b688651dfN.exe.tmp

Filesize
3.2MB

MD5
e8c86a94df2f0a4c5edfa59cfc420329

SHA1
4212cb446a2dce87225ca20ba45e10befb084062

SHA256
60c59edec70f5cd7d1cf880e7a1475de6f73932dc23ae913f9c7dfeaf52489e1

SHA512
273298886ff9466a28caae48e59d701fc1519ba39196ff5abac8c52b0d00e21be00e852ff453ed659fcf2c7cc980c138bf162a4dc8453d84fc542df451880e2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\2985919836.exe

Filesize
49KB

MD5
6946486673f91392724e944be9ca9249

SHA1
e74009983ced1fa683cda30b52ae889bc2ca6395

SHA256
885fbe678b117e5e0eace7c64980f6072c31290eb36d0e14953d6a2d12eff9cd

SHA512
e3241f85def0efefd36b3ffb6722ab025e8523082e4cf3e7f35ff86a9a452b5a50454c3b9530dfdad3929f74a6e42bf2a2cf35e404af588f778e0579345b38c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\331248294.exe

Filesize
10KB

MD5
96509ab828867d81c1693b614b22f41d

SHA1
c5f82005dbda43cedd86708cc5fc3635a781a67e

SHA256
a9de2927b0ec45cf900508fec18531c04ee9fa8a5dfe2fc82c67d9458cf4b744

SHA512
ff603117a06da8fb2386c1d2049a5896774e41f34d05951ecd4e7b5fc9da51a373e3fcf61af3577ff78490cf898471ce8e71eae848a12812fe98cd7e76e1a9ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\3342028962.exe

Filesize
15KB

MD5
0c37ee292fec32dba0420e6c94224e28

SHA1
012cbdddaddab319a4b3ae2968b42950e929c46b

SHA256
981d724feebc36777e99513dc061d1f009e589f965c920797285c46d863060d1

SHA512
2b60b571c55d0441ba0cfc695f9db5cd12660ebec7effc7e893c3b7a1c6cb6149df487c31b8d748697e260cbc4af29331592b705ea9638f64a711c7a6164628b

Download Submit
C:\Users\Admin\AppData\Local\Temp\8443.exe

Filesize
9KB

MD5
8d8e6c7952a9dc7c0c73911c4dbc5518

SHA1
9098da03b33b2c822065b49d5220359c275d5e94

SHA256
feb4c3ae4566f0acbb9e0f55417b61fefd89dc50a4e684df780813fb01d61278

SHA512
91a573843c28dd32a9f31a60ba977f9a3d4bb19ffd1b7254333e09bcecef348c1b3220a348ebb2cb08edb57d56cb7737f026519da52199c9dc62c10aea236645

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_esuzbxt3.n2w.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\game\cef.pak

Filesize
1.9MB

MD5
fa6c54291dcc13acc9dbec30923fe503

SHA1
8f157cc1ab1c18bf47305543b149604797cd6587

SHA256
455dd904ba68305f45682ae9c776a87cb2cb67bbe2d20e13cf97a812b68cf5f4

SHA512
135773297e6481f66d53a6a6bb887e0e0ba17ded9f76e2cef2db48a095a4c301eda84feb46f2a44425f4d34accd72765ee324d30a0692aa0c6d2c513166d51de

Download Submit
C:\Users\Admin\AppData\Local\Temp\game\cef_100_percent.pak

Filesize
261KB

MD5
4cec40309dc9e4bf0f0cc915aeb6c9ac

SHA1
2da1b18943265f473f6b87b63132dbb2398ff487

SHA256
6267cb52b0ca5593cf402139e736eb4f1d6bc3f2eab4c6deb99934711050ef4f

SHA512
e684d4d735762e87c8556c164379f97f59b8b4077e2f4c49ae43610ca2a3994ad45839cf6edef4e741a4f1fb345413e4246fb5901dd52bd98c9a2f60866817c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\game\cef_200_percent.pak

Filesize
412KB

MD5
50a6d9ab74ebfaeda5baa28997149977

SHA1
1ad557cecf3d54a5fbe471ceab189d344fef347c

SHA256
c8f7697bdb4aa19722b975dd2126baf8c2edb5c0a58e2d64a6fefa4cbb8335ec

SHA512
31647191b432f82ff24a41a16abb77512bed2f3105791079d795304452e2bff89f618202023fd133cdc79f80d02647093edebca9e43c19cbd4d2bed4c8d35180

Download Submit
C:\Users\Admin\AppData\Local\Temp\game\cef_extensions.pak

Filesize
1.2MB

MD5
c294094045246da46492204f2920d74f

SHA1
229367ac0be0a2da9d6338cba6f45c07f790140c

SHA256
8e8882c3d420231e1ddd1329e259cd8dc38fe392727aa74cfa4df57125d4cfb3

SHA512
03543e3c436a8b42b3f5bb942de468b4898172720ddef5597535b81347581ae0c89bf91e6bef3b91c796ca5bd393a865b2fa53ba70b2fda6578c640b14ab92cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\game\chrome_elf.dll

Filesize
810KB

MD5
4c8f4689e087a9843a79d6ec923f00df

SHA1
e6e37e19a04a55944bdfba6f9359bbe0ea8402fc

SHA256
8753acc450280e1c5ef5a09dac46d1fd873f1e66d771affc4b4afbfa3d59e3c4

SHA512
30b205bb4b391b23a7bb15248daa42af3ec34225d169a0d70325ea7e1422d298ea3376962e689311074346dd7aec3579789748e3aaa17b04ab72de6c0a0fc5e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\game\icudtl.dat

Filesize
10.0MB

MD5
9732e28c054db1e042cd306a7bc9227a

SHA1
6bab2e77925515888808c1ef729c5bb1323100dd

SHA256
27993e2079711d5f0f04a72f48fee88b269604c8e3fbdf50a7f7bb3f5bfc8d8e

SHA512
3eb67ab896a56dab4a2d6eea98f251affd6864c5f5b24f22b61b6acc1df4460d86f0a448f1983aac019e79ff930286c3510891be9d48ef07a93ff975a0e55335

Download Submit
C:\Users\Admin\AppData\Local\Temp\game\libEGL.dll

Filesize
315KB

MD5
e646266652e470489b912c39d4bbfacf

SHA1
fb5af43ba527f0b03f6e5db0dba870df7acecf77

SHA256
e2b31cbbbd97c2d098a44acd5e1c84e092f4bf4c535fe6ebc3703a78387c03a9

SHA512
fe5ca9d6dc63ca6982702072aa34ada2d43c3c781e1fac09e324b17b3ed05bb8d203c3c08c0fe4aaf8985781933a8a3f2cd8e4928b0fe567c46a8da46f481b3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\game\libGLESv2.dll

Filesize
6.6MB

MD5
79d62a3663c1963c90ed84045e0450ac

SHA1
cd3b444ec31e78c7bef960f91548de1e1f2ae487

SHA256
896cd68e51fb5c4937717e350b911d5dd18dc285f466fb712ccb0578fff1365e

SHA512
2da35a7db00ad3c22de448abfe3eb4425088b51db0f093dcfb0e934edee40567ebc8cd1bf0768bb1a43a397a49ce5d388edf2427fcc09eb48033b8baea918520

Download Submit
C:\Users\Admin\AppData\Local\Temp\game\locales\en-US.pak

Filesize
225KB

MD5
16a6914c9637812257e28b2cc4e6d809

SHA1
82212a642c90b51b8f67e517ee8782da841b658f

SHA256
8fe734f556d97e7c07d02e839a16565f7db88ca7091ca3903a9b153a68aaaf72

SHA512
6efbab68c8b036fd73951295a5f65718003deea46db838f6f263133452e09be45ce006246850facbb1922766f42c2ce1796722cecfcc8495921a7bcd9402a446

Download Submit
C:\Users\Admin\AppData\Local\Temp\game\v8_context_snapshot.bin

Filesize
167KB

MD5
cdeec3342ce88d4de5426032a6bf6a53

SHA1
b36ec3c3b20a7a06ff282d696f12b51904b073a4

SHA256
ca88a3c7034da1de52d35823fba0fe80ba5376ab70cdc1841e6aaf25c1f5dd6e

SHA512
54874cd76589124b750fdae90be75e1acf374566d56352c15dbbee98c095aad0e56db142952a808b08e4817bf5f8e176ffdc4ff79110d8661ee4f7ede16b2ea9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tools\NativeUpdater.exe

Filesize
959KB

MD5
69f6d2214bfcafa9236c1747b398a1af

SHA1
c3bbb7986ab728493a05c57dcb7f1a383258f3c9

SHA256
f13212b3462edbd5cd14d81b5397bf2f0281cc221c5464f4875c0ab0b84fe884

SHA512
59d55fa5a8d0518bf645001742e5ec0bbb0af6ca9203ed46ca9cc453e5be883de11e978bdfd68677a5f3653ee7a97cc1eeb8633fd4c5ece95790d166d1b22cd8

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\launcher_cef_log.txt

Filesize
173B

MD5
499f26e380be5515b3b9f10798847928

SHA1
d0a61386882dcc2b142ceb6c179ffad657505ad8

SHA256
81d66a0592415249940cd50c93ff3100398e2e14de11b6166e3c6796e45c1d07

SHA512
c4e69faf5947f8473e84bcef2b23fc6e3ca98158a339f5f13269430a28f402e62d91a7dd069c2c5e909df835aa74c3aefb12cb55b0ed365e06c377a789dfcb09

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\launcher_log.txt

Filesize
2KB

MD5
ba2d3eb86e9c3edb2890002b5b16dbba

SHA1
e27c1bf63aa1f960b76a04a1a65e06d38aa75991

SHA256
04132ec794493bb74e1dd48b04790835061709ea40a10b2f3e8ef09faa62ae03

SHA512
88aca3d1ce35228996d0c968d359635bb44e8a9a37f4db2d374b2c0366ade6b56ccfe071d62644f53fc626190a4eb7ad02d95701c7a6c789850ed675aceb2c17

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\launcher_settings.json

Filesize
128B

MD5
270ade77b4358d215f30e625a2b172f6

SHA1
c407dcca0525ba0bb9d9c5d63ac78f7aa03ae03a

SHA256
7afa6b9dacfb8d546c8f9c386601999232fa9aa6bcc9879503ab2433e053c3c5

SHA512
af56d5ec7d603284db4fe340f5f5fc00c48b0e3d065660cb3d40088e6c4c35675cb7eaa6504803a11120d49e40d7aeb0f5321aacef79e5b074369722056bcd62

Download Submit
C:\Users\Admin\tbtnds.dat

Filesize
4KB

MD5
50a157348f7a4b04292990ef4d97b5e0

SHA1
b394acd628cf332c6a97267932849d2eb218917b

SHA256
4fa120e9a6923eef699252a2677bb5b9be1b73f62aa38a7017dfd832e93603ef

SHA512
18b82e8cd48f2869a6e77cd18caa17a4ed12cc263cac650f1fbb0f1086e583798f79ffdf0e12e010760a155e0188cd3d32cbd556b4dce51c4c2f6414f4b9e0cb

Download Submit
memory/932-473-0x00007FF7CC1C0000-0x00007FF7CC757000-memory.dmp

Filesize
5.6MB

Download
memory/2020-387-0x00007FF7D58E0000-0x00007FF7D5E77000-memory.dmp

Filesize
5.6MB

Download
memory/3316-484-0x00007FF64B7B0000-0x00007FF64BF9F000-memory.dmp

Filesize
7.9MB

Download
memory/3316-474-0x000002BF6C420000-0x000002BF6C440000-memory.dmp

Filesize
128KB

Download
memory/3316-486-0x00007FF64B7B0000-0x00007FF64BF9F000-memory.dmp

Filesize
7.9MB

Download
memory/3316-489-0x00007FF64B7B0000-0x00007FF64BF9F000-memory.dmp

Filesize
7.9MB

Download
memory/3316-491-0x00007FF64B7B0000-0x00007FF64BF9F000-memory.dmp

Filesize
7.9MB

Download
memory/3316-493-0x00007FF64B7B0000-0x00007FF64BF9F000-memory.dmp

Filesize
7.9MB

Download
memory/3392-361-0x00000178E7000000-0x00000178E7022000-memory.dmp

Filesize
136KB

Download
memory/3476-44-0x00000000002C0000-0x00000000002C6000-memory.dmp

Filesize
24KB

Download
memory/4752-483-0x00007FF777E50000-0x00007FF777E79000-memory.dmp

Filesize
164KB

Download
memory/4752-485-0x00007FF777E50000-0x00007FF777E79000-memory.dmp

Filesize
164KB

Download